From 4eb39310d746fb78fbb57de2a5de2d074b0409c9 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 18 Dec 2025 12:46:48 +0000 Subject: [PATCH] Add content from: Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C... --- src/SUMMARY.md | 1 + .../malware-analysis.md | 51 +++++++++++++++++++ .../inputmethodservice-ime-abuse.md | 1 + 3 files changed, 53 insertions(+) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 727a26a3a9a..5c74e762cdf 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -372,6 +372,7 @@ - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md) - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md) - [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md) + - [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md) - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md) - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md) - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md) diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md index f76ed9e1d67..455aa897868 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md 
@@ -528,6 +528,56 @@ See the dedicated page: adaptixc2-config-extraction-and-ttps.md {{#endref}} +## Kimwolf Android Botnet Tradecraft + +### APK loader & native ELF execution on TV boxes +- Malicious APKs such as `com.n2.systemservice06*` ship a statically linked ARM ELF inside `res/raw` (e.g. `R.raw.libniggakernel`). A `BOOT_COMPLETED` receiver runs at startup, extracts the raw resource to the app sandbox (e.g. `/data/data//niggakernel`), makes it executable and invokes it with `su`. +- Many Android TV boxes/tablets ship pre-rooted images or world-writable `su`, so the loader reliably boots the ELF with UID 0 even without an exploit chain. Persistence comes “for free” because the receiver relaunches after every reboot or app restart. +- Reverse engineers hunting for this pattern can diff `AndroidManifest.xml` for hidden boot receivers plus code that references `Resources.openRawResource` → `FileOutputStream` → `Runtime.getRuntime().exec("su")`. Once the ELF is dropped, triage it as a Linux userland backdoor (Kimwolf is UPX-packed, stripped, statically linked, 32-bit ARM EABI5). + +### Runtime mutexes & masquerading IOCs +- Upon start, Kimwolf binds an **abstract UNIX domain socket** such as `@niggaboxv4`/`@niggaboxv5`. Existing sockets force an exit, so the socket name works as both a mutex and a forensic artifact. +- The process title is overwritten with service-looking names (`netd_services`, `tv_helper`, etc.) to blend into Android process listings. Host-based detections can alert on these names combined with the mutex socket. + +### Stack XOR string decoding with ARM NEON + flare_emu +- Sensitive strings (C2 domains, resolvers, DoT endpoints) are pushed onto the stack in encrypted 8-byte blocks and decoded in-place via `VEOR Qx, Qx, Qy` (`veorq_s64`). 
Analysts can script **flare_emu** to catch the decrypted pointer each time the decryptor hands it to the caller: +```python +import flare_emu + +eh = flare_emu.EmuHelper() + +def hook(eh, addr, argv, _): + if eh.isValidEmuPtr(argv[1]): + print(hex(addr), eh.getEmuString(argv[1])) + +eh.iterate(0x8F00, hook) # sub_8F00 consumes the plaintext R1 argument +``` +- Searching for `VEOR Q8, Q8, Q9` / `veorq_s64` sequences and emulating their ranges mass-dumps every decrypted string, bypassing the stack-only lifetime of the plaintext. + +### DNS-over-TLS resolution plus XOR IP derivation +- All Kimwolf variants resolve C2 domains by speaking **DNS-over-TLS (TCP/853)** directly with Google (8.8.8.8) or Cloudflare (1.1.1.1), defeating plain DNS logging or hijacking. +- v4 bots simply use the returned IPv4 A record. v5 bots treat the A record as a 32-bit integer, swap its endianness, XOR it with the constant `0x00ce0491`, then flip the endianness back to obtain the real C2 IP. CyberChef recipe: Change IP format → swap endianness per 4-byte chunk → XOR with `00 ce 04 91` → convert back to dotted decimal. + +### ENS / EtherHiding fallback +- Later builds add an ENS domain (`pawsatyou.eth`) whose resolver text key `"lol"` stores a benign-looking IPv6 (`fed0:5dec:...:1be7:8599`). +- The bot grabs the last four bytes (`1b e7 85 99`), XORs them with `0x93141715`, and interprets the result as an IPv4 C2 (`136.243.146.140`). Updating the ENS text record instantly rotates downstream C2s via the blockchain without touching DNS. + +### TLS + ECDSA authenticated command channel +- Traffic is encapsulated in wolfSSL with a custom framed protocol: +```go +struct Header { + Magic [4]byte // e.g. "DPRK", "FD9177FF", "AD216CD4" + Reserved uint8 // 0x01 + MsgType uint8 // verb + MsgID uint32 + BodyLen uint32 + CRC32 uint32 +} +``` +- Bootstrap: the bot sends two empty `MsgType=0 (register)` headers. 
The C2 replies with `MsgType=1 (verify)` containing a random challenge plus an ASN.1 DER **ECDSA** signature. Bots verify it against an embedded SubjectPublicKeyInfo blob; failures terminate the session, preventing hijacked/sinkholed C2 nodes from tasking the fleet. +- Once verified, the bot sends a `MsgType=0` body carrying the operator-defined **group string** (e.g. `android-postboot-rt`). If the group is enabled, the C2 responds with `MsgType=2 (confirm)`, after which tasking (MsgType 5–12) begins. +- Supported verbs include SOCKS-style TCP/UDP proxying (residential proxy monetization), reverse shell / single command exec, file read/write, and **Mirai-compatible DDoSBody** payloads (same `AtkType`, `Duration`, `Targets[]`, `Flags[]` layout). + ## References - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/) @@ -544,5 +594,6 @@ adaptixc2-config-extraction-and-ttps.md - Android Find My Device (Find Hub) – [google.com/android/find](https://www.google.com/android/find) - RftRAT/RFTServer technical analysis – [asec.ahnlab.com](https://asec.ahnlab.com/en/59590/) - HMAC background – [wikipedia.org/wiki/HMAC](https://en.wikipedia.org/wiki/HMAC) +- Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations – [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/) {{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md index 878d498c40e..8251e907770 100644 --- a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md 
@@ -81,3 +81,4 @@ adb shell ime help - **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices. - **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI). +{{#include ../../banners/hacktricks-training.md}}
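Review bot: in the `@@ -528,6 +528,56 @@` hunk of malware-analysis.md, the `struct Header` block under "TLS + ECDSA authenticated command channel" is fenced as ```go but is written in C syntax (`struct Header {`), which is not valid Go; either open it with `type Header struct {` or change the fence to `c` so readers do not paste a non-compiling definition. In the same hunk, the loader path `/data/data//niggakernel` has an empty segment where the package directory belongs; write it with an explicit placeholder such as `/data/data/<package>/niggakernel` so the double slash is not mistaken for the real path. Finally, the `Magic [4]byte` comment mixes one ASCII value (`"DPRK"`) with two hex-encoded ones (`"FD9177FF"`, `"AD216CD4"`); spell out that the latter are hex-encoded 4-byte values so the three examples read as the same field width.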
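Review bot: in the `@@ -544,5 +594,6 @@` hunk of malware-analysis.md, the trailing context line `{{#include ../../banners/hacktricks-training.md}}` still carries `\ No newline at end of file`; since this hunk already edits the tail of the file, add the missing final newline here rather than leaving it for a later commit. The added reference entry itself matches the `Title – [host](url)` style of the neighbouring lines.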
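Review bot: in the `@@ -81,3 +81,4 @@` hunk of inputmethodservice-ime-abuse.md, the added `{{#include ../../banners/hacktricks-training.md}}` sits directly under the last `- **App-side ...**` bullet with no blank line; the preprocessor substitutes the banner text in place, and without a separating blank line a markdown renderer may treat it as a lazy continuation of that list item. Insert an empty line before the include, as the other pages that end with this banner do.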